CVE-2026-2004
Undergoing Analysis Undergoing Analysis - In Progress
Arbitrary Code Execution via Input Validation Flaw in PostgreSQL intarray

Publication date: 2026-02-12

Last updated on: 2026-02-20

Assigner: PostgreSQL

Description
Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-12
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-12
EPSS Evaluated
2026-06-14
NVD
CVE-2026-2004
EUVD
EUVD-2026-6183
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
postgresql postgresql From 18.0 (inc) to 18.2 (exc)
postgresql postgresql From 14.0 (inc) to 14.21 (exc)
postgresql postgresql From 15.0 (inc) to 15.16 (exc)
postgresql postgresql From 16.0 (inc) to 16.12 (exc)
postgresql postgresql From 17.0 (inc) to 17.8 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1287 The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-2004 is a security vulnerability in the PostgreSQL intarray extension, specifically in the selectivity estimator function.

The issue is caused by missing validation of the input type to this function, which allows an attacker who can create objects in the database to execute arbitrary code.

This arbitrary code execution happens with the privileges of the operating system user running the PostgreSQL server.

The vulnerability affects PostgreSQL versions prior to 18.2, 17.8, 16.12, 15.16, and 14.21.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have a severe impact because it allows an attacker with the ability to create database objects to execute arbitrary code on the server.'}, {'type': 'paragraph', 'content': "The code execution occurs with the operating system user's privileges running the PostgreSQL server, potentially leading to full system compromise."}, {'type': 'paragraph', 'content': 'The CVSS score of 8.8 indicates high severity, with high impact on confidentiality, integrity, and availability of the system.'}] [1]

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate this vulnerability, you should upgrade your PostgreSQL installation to one of the fixed versions: 18.2, 17.8, 16.12, 15.16, or 14.21 or later.'}, {'type': 'paragraph', 'content': "Applying the official patches released by the PostgreSQL project on February 12, 2026, will address the missing input type validation in the intarray extension's selectivity estimator function and prevent arbitrary code execution."}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-2004. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart